"Joker is one of the most prominent malware families targeting Android devices," Zscaler researchers Viral Gandhi and Himanshu Sharma said in their report on the findings. "Despite public awareness of this particular malware, it keeps finding its way into Google's official app store by regularly modifying the malware's trace signatures including updates to the code, execution methods, and payload-retrieving techniques."

Researchers immediately contacted Google, which has taken steps to remove the malicious apps. Some were surprised that the problem keeps turning up. "I truly do not understand how a company as large as Google and operating the #PlayStore could continue to allow this widescale #malware distribution. You would think that instantly these things would be scanned, if they are pointing to a Dropbox or G-drive, that will pull down a payload," shared Aaron Lax (@MAST3R0x1A4), a system administrator, cybersecurity analyst, pentester and developer, on both Twitter and LinkedIn.

Cloud storage services serve as malware conduit

It was not a great month for Google products and security, as another set of researchers found that a well-known Russian-backed hacking group is using Google Drive, as well as Dropbox, in recent advanced persistent threat (APT) attacks. Researchers at Palo Alto Networks' Unit 42 say the group, known by several names including Cloaked Ursa, APT29, Nobelium and Cozy Bear, "demonstrate sophistication and the ability to rapidly integrate popular cloud storage services to avoid detection."

"The use of trusted, legitimate cloud services isn't entirely new to this group," the researchers said in a blog on the findings. "Extending this trend, we have discovered that their two most recent campaigns leveraged Google Drive cloud storage services for the first time.
The ubiquitous nature of Google Drive cloud storage services—combined with the trust that millions of customers worldwide have in them—make their inclusion in this APT's malware delivery process exceptionally concerning."

The hacking group has been linked to other big attack campaigns in the last several years: the Democratic National Committee (DNC) hack in 2016 has been attributed to the group, as has the SolarWinds supply chain compromise in 2020.

Cybersecurity and awareness services provider Richard Freiberg (@richfreiberg) noted that the storage tools' pervasiveness and popularity make them easy for hackers to use. "Using Google Drive & Dropbox is a low-cost way to leverage trusted applications. You can easily get Google accounts for free and use that to collect information and host malware," he tweeted about the news.

Researchers uncover issues—but not flaws—in Okta

New research from cloud identity and access security provider Authomize is an interesting twist on the usual vulnerability disclosure story. That's because Authomize released findings that they say uncover a number of "high impact security risks" in identity provider Okta's platform. These issues have the potential to expose customers to password theft and impersonation, they say.

Authomize CTO and cofounder Gal Diskin (@gal_diskin) tweeted a long thread with details of the research, starting with: "New security research: #PassBleed: How to get @okta *master passwords* in *clear text* for *all employees* and several other important findings. Why care? Because compromise in your IdP is *game over* for your security."

Specifically, according to a blog from Authomize, their researchers claim the risks at issue include: clear text password extraction via SCIM; sharing of passwords and sensitive data over unencrypted channels (HTTP); a hub-and-spoke configuration that allows sub-org admins to compromise accounts in the hub or in other spokes downstream; and mutable identity log spoofing.
But in a response blog post, Arnab Bose, SVP of product management at Okta, said the company had looked into the claims and did not consider them to be bugs. "After a thorough review, our internal product and security teams affirmed that the areas of concern highlighted are not vulnerabilities." With that in mind, the company offered a number of recommendations, specific to how the tool is configured within an organization, to help customers use Okta securely.

Authomize then offered its own clarification on Okta's response and, in a blog, stated that while these may not be flaws, they are inherent security risks, and perhaps part of Okta's operational risk assessment. "From my POV, the answer for Okta, and every IAM solution out there, here is pretty clear. They are going to choose making a product that will allow their customers to do more, even if it increases risk. And that is probably the right way forward."
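Since Okta's position is that these are configuration risks rather than bugs, the practical defence is to audit one's own provisioning setup. The following is an added example, not code from Okta, Authomize or the article, of a small audit that walks identity-provider provisioning (SCIM) connector records and flags the first two risk classes named above: a SCIM endpoint that is not served over HTTPS, and password synchronisation that pushes a user's credential to a downstream application. The record layout and field names (`scim_base_url`, `sync_password`, `org_role`) are assumptions constructed for illustration and do not correspond to Okta's real configuration schema.

```python
"""Audit provisioning-connector records for credentials crossing an unencrypted
channel and for password synchronisation to downstream apps.

Added example; the Connector fields are an assumed, illustrative layout, not
Okta's API schema. Sample records below are constructed.
"""

from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class Connector:
    name: str
    scim_base_url: str       # assumed field: where the IdP pushes user records
    sync_password: bool      # assumed field: does the IdP push passwords too?
    org_role: str = "spoke"  # assumed field: "hub" or "spoke" in a hub-and-spoke setup


@dataclass
class Finding:
    connector: str
    severity: str
    message: str


def audit_connector(c: Connector) -> list[Finding]:
    """Return the findings for one connector (empty list means clean)."""
    findings: list[Finding] = []
    url = urlparse(c.scim_base_url)
    encrypted = url.scheme == "https"

    # Risk 1: SCIM traffic (profile data, and passwords if synced) over plain HTTP
    # or a malformed URL with no scheme at all.
    if not encrypted:
        findings.append(Finding(
            c.name, "high",
            f"SCIM endpoint '{c.scim_base_url}' uses scheme "
            f"'{url.scheme or '(none)'}'; data would transit unencrypted",
        ))

    # Risk 2: password synchronisation hands the user's credential to the
    # downstream app. Treat as high when it also travels unencrypted.
    if c.sync_password:
        findings.append(Finding(
            c.name, "high" if not encrypted else "medium",
            "password synchronisation enabled: downstream app receives the "
            "user's credential and should be reviewed as a password store",
        ))

    # A spoke org syncing passwords widens the blast radius of a sub-org admin,
    # which is the shape of the hub-and-spoke concern in the report.
    if c.org_role == "spoke" and c.sync_password:
        findings.append(Finding(
            c.name, "medium",
            "spoke connector syncs passwords: review which sub-org admins "
            "can alter this connector",
        ))
    return findings


def audit_all(connectors: list[Connector]) -> dict[str, list[Finding]]:
    """Map connector name -> findings, omitting connectors with none."""
    report = {}
    for c in connectors:
        found = audit_connector(c)
        if found:
            report[c.name] = found
    return report


# Constructed sample inventory (not real endpoints).
SAMPLE_CONNECTORS = [
    Connector("crm", "http://scim.crm.example.invalid/v2", sync_password=True),
    Connector("wiki", "https://scim.wiki.example.invalid/v2", sync_password=False),
    Connector("payroll", "https://scim.payroll.example.invalid/v2",
              sync_password=True, org_role="hub"),
]

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_CONNECTORS).items():
        for f in findings:
            print(f"[{f.severity}] {name}: {f.message}")
```

Running it prints three findings for the sample set: two high-severity ones for the `crm` connector (plain HTTP plus password sync, which together are the "clear text over unencrypted channel" case) and a medium one for `payroll`, whose password sync is at least encrypted in transit; `wiki` is clean. In a real deployment the `Connector` records would be populated from the IdP's own admin API or exported configuration rather than hard-coded.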